ci: scope down GitHub Token permissions #2762

Merged: justsmth merged 31 commits into aws:main from AdnaneKhan:update/scopedown-token on Oct 22, 2025
@AdnaneKhan (Contributor) commented Oct 21, 2025

Scope Down GitHub Token Permissions

This PR updates GitHub Actions workflows to use minimal required permissions instead of the default elevated permissions.

Why This Matters

Following the principle of least privilege, workflows should only have the specific permissions they need to function.

Changes

This PR adds explicit `permissions:` blocks to workflows that currently rely on default permissions, scoping them down to only what's required for their operations.

Please review the changes to ensure the specified permissions match your workflow requirements.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@AdnaneKhan AdnaneKhan marked this pull request as ready for review October 21, 2025 20:58
@AdnaneKhan AdnaneKhan requested a review from a team as a code owner October 21, 2025 20:58
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.65%. Comparing base (e1eddc7) to head (512763b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2762      +/-   ##
==========================================
- Coverage   78.65%   78.65%   -0.01%     
==========================================
  Files         678      678              
  Lines      116334   116334              
  Branches    16314    16314              
==========================================
- Hits        91500    91499       -1     
- Misses      24045    24047       +2     
+ Partials      789      788       -1     

@justsmth justsmth enabled auto-merge (squash) October 21, 2025 23:01
@justsmth justsmth disabled auto-merge October 22, 2025 17:16
@justsmth justsmth merged commit 16c148a into aws:main Oct 22, 2025
358 of 377 checks passed
samuel40791765 pushed a commit to samuel40791765/aws-lc that referenced this pull request Oct 23, 2025
This PR updates GitHub Actions workflows to use minimal required
permissions instead of the default elevated permissions.

Following the principle of least privilege, workflows should only have
the specific permissions they need to function.

This PR adds explicit `permissions:` blocks to workflows that currently
rely on default permissions, scoping them down to only what's required
for their operations.

Please review the changes to ensure the specified permissions match your
workflow requirements.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.